Session Cookie HttpOnly and Secure

Session Cookie HttpOnly and Secure


does any one knows how to force the "Secure" and "HttpOnly" cookie flags in Outsystems?

António Braz
Answering my own question :):

complemented with

<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />

Hi António,

Note that some components use cookies that are ment to be accessed in javascript.

For example the Feedback_Message and the Tabs_ClientSide from RichWidgets use cookies that are to control the behavior of the widgets in javascript.
In the Feedback_Message case a cookie is used to prevent the messages to appear multiple times when using the browser "Back" button. If you change cookies to be httpOnly you can either get multiple messages or stop getting messages at all.

João Rosado
Hi João.

I'm not using Tabs_ClientSide, but Feedback_Message may be a problem.
Security Auditing is "advising" the use of HttpOnly to mitigate XSS.

I need to run some tests and I'll let you know the result.

Thanks for your input
António Braz
Hi Antonio,

As the OWASP says (, "the majority of XSS attacks target theft of session cookies". 
The OutSystems platform automatically sets the session cookie as HttpOnly, thereby preventing this exploit.
So, yes, OutSystems still allow access from JavaScript to other cookies, but apparently such access is not a security threat.


Joao Santos